FTC Online Privacy Protection Campaign Kicks Into High Gear
As the Federal Trade Commission settles with a company involving allegations of a massive data breach that exposed medical records, it continues its work evaluating privacy practices of businesses in the Internet age.
By Kenneth Corbin
WASHINGTON — As the Federal Trade Commission continues its work in evaluating the privacy practices of businesses in the Internet age, agency staffers are focusing not only on what personal information companies are collecting and how they’re using it, but also on the security measures in place to keep that data out of the hands of would-be identity thieves and other bad actors.
Speaking here at an event to mark Data Privacy Day, an annual initiative led by the nonprofit National Cyber Security Alliance, Commissioner Maureen Ohlhausen stressed that the FTC’s privacy work is closely coupled with its consideration of industry security.
When businesses fail to implement or enforce strong security practices, they run the risk of suffering a major data breach that can expose sensitive information about their customers, severely damaging the firm’s brand and inviting an enforcement action from federal authorities, Ohlhausen warns.
“Data is an increasingly vital asset and companies need to protect their … customers’ personal information from theft and unauthorized access that can hurt customers and harm the business’s reputation. That’s where data security comes in. Data security is part of the broader topic of data privacy,” she says. “Regardless of how one feels about the use of consumer data for marketing or targeting purposes, I believe we can all agree that failure to take reasonable precautions to secure data [from] identity thieves and other malicious parties hurts consumers and legitimate businesses alike.”
The timing of Ohlhausen’s keynote address was apt. Earlier today, the FTC announced that it had reached a settlement with Cbr Systems, the operator of a cord blood bank, concerning allegations of a data breach that may have exposed sensitive information of nearly 300,000 consumers.
The FTC’s complaint against Cbr Systems, which stores umbilical cord blood and tissue, dates to December 2010, when unencrypted backup tapes, a laptop and other equipment were stolen from an employee’s car, according to the commission. As a result, sensitive health information, credit card and Social Security numbers and other data were compromised, and the laptop and a hard drive that were stolen included passwords and protocols that could have provided access to Cbr Systems’ internal network.
The FTC based its complaint on its authority under the section of its charter statute concerning unfair or deceptive
and procedures for safeguarding its customers’ information, and that it courted further risk by carelessly transporting
portable storage devices.
Under the settlement agreement, Cbr Systems submitted to 20 years of independent audits of its data-management
The FTC has brought more than three dozen complaints against companies concerning data breaches, Ohlhausen said. Many of those cases had little to do with the technical protections in place to safeguard data, but instead were the product of soft policies, uneven implementation or a weak chain of custody.
“This really seems very simple, but many of the data security cases that the commission has brought involve companies who engaged in careless practices, such as dumping sensitive medical or financial information into open trash bins, and not even shredded,” Ohlhausen says.
Over the coming year, the FTC intends to ramp up its scrutiny of data brokers, a sector that the agency has identified as an area of concern for consumer privacy. In December, the FTC sent letters to nine leading brokers asking for detailed information about their data-collection practices, with responses expected next month. At that point, Ohlhausen says, the FTC’s in-house economists and other agency staffers will review the information with an eye toward recommendations for reforms within the industry, and potentially legislation authorizing new regulations.
In the meantime, lawmakers could move to pass a bill to establish a nationwide requirement for notifying customers whose information might have been compromised in a data breach. National data-breach notification legislation, long supported by many in the tech sector, would preempt the patchwork of requirements across the 46 states with data-breach laws on the books.
“Although some of the laws are similar, they are not identical. And this means that companies need to comply with separate state notice requirements, and consumers may get notifications that are different and are triggered by different kinds of breaches,” Ohlhausen says, adding that she believes there is a good chance that Congress will pass a bill this year. “I believe a single standard would let companies know what to do and let consumers know what to expect.”
Ohlhausen also advises businesses to take steps to limit their risk of a data breach with common-sense measures like incorporating security and privacy protections in the design phase of their products and systems, securing storage, and promoting privacy through education and training programs across business units.
Then, too, they must ensure that they are living up to the security and privacy assurances they make to their
“It’s also really critical that businesses honor the promises they make to protect consumer privacy, and this is really at the heart of the commission’s law enforcement against deceptive practices,” Ohlhausen says. “But because breaches may still occur even in the most security-conscious company, it’s also critical to have a plan for responding to data breaches before they happen. So putting together a response plan now may help reduce the impact of a data breach on a business and its customers later.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.